As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance sitting in AWS has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics I have made the raw logs available for download.

Passwords:

One of my favorite uses of Kippo data is to generate wordlists from login attempts. I wrote a quick script to parse the Kippo logs, pull out every password that was tried, and deduplicate them into a wordlist. Feel free to grab the script. Additionally, I made the resulting wordlists available for download.

Using Pipal, I performed an analysis of all the login attempts over this year:

Two items of note here: over 60% of password attempts were 1-8 characters long, and 40% of attempts consisted of lowercase alphabetic characters only. The most used password was 123456, which is the default password for Kippo.
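To show what the log-parsing script and the Pipal-style analysis above amount to, here is an added example (my illustration, not the author's script): it extracts login attempts from Kippo log lines, builds a deduplicated wordlist, and computes the same kind of summary figures (share of 1-8 character passwords, share of lowercase-only passwords, most common password). The log line format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed Kippo log line shape (constructed for this example, not the author's logs):
#   <timestamp> [SSHService ssh-userauth on HoneyPotTransport,<id>,<ip>] login attempt [<user>/<pass>] failed|succeeded
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log; the IPs are documentation ranges, not real attackers.
SAMPLE_LOG = """\
2014-01-09 18:22:12+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [root/123456] succeeded
2014-01-09 18:22:13+0000 [SSHService ssh-userauth on HoneyPotTransport,6,198.51.100.7] login attempt [root/password] failed
2014-01-09 18:23:40+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.9] login attempt [admin/admin] failed
2014-01-09 18:23:41+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.9] login attempt [root/123456] failed
2014-01-09 18:23:42+0000 [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.9] login attempt [root/Passw0rd!] failed
2014-01-09 18:24:00+0000 [HoneyPotTransport,9,203.0.113.9] connection lost
"""


def login_attempts(log_text):
    """Yield (user, password, result) for every login-attempt line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), m.group("password"), m.group("result")


def wordlist(log_text):
    """Unique passwords in first-seen order: the wordlist the post describes."""
    seen = {}
    for _, pw, _ in login_attempts(log_text):
        seen.setdefault(pw, None)
    return list(seen)


def password_stats(log_text):
    """Pipal-style summary over all attempts (counting repeats, not unique passwords)."""
    pws = [pw for _, pw, _ in login_attempts(log_text)]
    total = len(pws)
    if total == 0:
        return {"attempts": 0}
    return {
        "attempts": total,
        "pct_len_1_to_8": 100.0 * sum(1 <= len(p) <= 8 for p in pws) / total,
        "pct_lower_alpha_only": 100.0 * sum(p.isalpha() and p.islower() for p in pws) / total,
        "most_common": Counter(pws).most_common(1)[0],
    }
```

Point it at a real kippo.log and the wordlist can be written one entry per line for use with a cracker or for comparing against your own users' password policy.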

If a user attempts to create an account or change the root password in a Kippo session those passwords are captured and added to the allowed credentials list. The following credentials were created:

root:0:albertinoalbert123
root:0:fgashyeq77dhshfa
root:0:florian12eu
root:0:hgd177q891999wwwwwe1.dON
root:0:iphone5
root:0:kokot
root:0:nope
root:0:picvina
root:0:scorpi123
root:0:test
root:0:xiaozhe
root:0:12345
root:0:bnn318da9031kdamfaihheq1fa
root:0:ls
root:0:neonhostt1
root:0:wget123

Downloads:

When an attacker attempts to download a tool via wget, Kippo actually fetches the file and stores it on the honeypot, although the attacker cannot execute or otherwise interact with it inside the fake shell. This gives us a copy of whatever is being downloaded. In most cases these are IRC bots, but not all. I have made them all available for download.

Here is a listing of all the files:

*Duplicates and obviously legitimate files have been removed from the list.

TTY Replay Sessions:

My absolute favorite feature of Kippo is the ability to replay interactive sessions of attacker activity. Watching these replays gives us an idea of what attackers do once inside a session. For instance, almost every session begins with a "w", which shows logged-in users and uptime, followed by a "uname -a" to show them system details. I made a YouTube series called The Kippo Kronicles a while back to showcase some of these sessions. While I don't have the time necessary to continue putting up videos for each session, I have put the output of each session up at this GitHub repo.

Conclusion:

After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open SSH hosts. There is plenty more to learn, though. I have some plans on building out a larger honeypot infrastructure and automating some of the data collection and parsing. Additionally, I would like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!

Reader Comments (1)

Hi, nice catches. I run a couple of kippo instances and I am soon to begin running a number of hosts with vulnerable web applications, both old with vulnerabilities and newer with easily guessable passwords. I want to capture and generate statistics about the general anatomy of these hacks. I have quite interesting ideas to sort of combat these hacks using defense mechanism (while leaving the vulnerable applications in place), those fights if you like will most likely yield interesting results and knowledge. If you would like to discuss a potential collaboration contact me.